
IS AUDITING GUIDELINE AUDIT DOCUMENTATION

(Revision of Previously Issued SISAS 6)


Introduction

The specialised nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. One of the Information Systems Audit and Control Association, Inc.'s (ISACA's) goals is therefore to advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a cornerstone of the ISACA's professional contribution to the audit community.

Objectives

The objectives of the ISACA's IS Auditing Standards are to inform:
- IS Auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS Auditors
- Management and other interested parties of the profession's expectations concerning the work of practitioners

The objective of IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Scope and Authority of IS Auditing Standards

The framework for the ISACA's IS Auditing Standards provides for multiple levels of standards, as follows:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide guidance in applying IS auditing standards. The IS Auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
- Procedures provide examples of procedures an IS Auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The ISACA Code of Professional Ethics requires members of the ISACA and holders of the Certified Information Systems Auditor (CISA) designation to comply with IS Auditing Standards as adopted by the ISACA. Failure to comply with these standards may result in an investigation into the member's or CISA holder's conduct by the ISACA Board or appropriate ISACA committee, and ultimately in disciplinary action.

Development of Standards, Guidelines and Procedures

The ISACA Standards Board is committed to wide consultation in the preparation of IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.

The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation to identify emerging issues requiring new standards products. Any suggestions should be e-mailed (research@isaca.org), faxed (+1.847.253.1443), or mailed (address at the end of Guideline) to ISACA's International Office for the attention of the Director of Research, Standards and Academic Relations.

Withdrawal of Previously Issued Documents

This Guideline replaces the previously issued Statement on Information Systems Auditing Standard (SISAS) Number 6 on Audit Documentation. SISAS 6 will be withdrawn on 1 September 1999. This material was issued on 1 May 1999.

Information Systems Audit and Control Association
1998-1999 STANDARDS BOARD

- Chair: Lynn Christine Lawton, CISA, FCA, FIIA, PIIA; KPMG, United Kingdom
- John W. Beveridge, CISA, CFE, CGFM; Commonwealth of Massachusetts, USA
- Marcelo Abdo Centeio; Companhia Siderurgica Nacional, Brazil
- Claudio Cilli, CISA; Ernst & Young, Italy
- Svein Erik Dovran, CISA; The Banking Insurance and Securities Commission of Norway
- Stephen W. Head, CISA, CPA, CPCU, CMA, CFE, CISSP, CBCP; Royal & SunAlliance, USA
- Fred Lilly, CISA, CPA; Fred L. Lilly, CPA, USA
- Ai Lin Ong, CISA, ACA, PA; PricewaterhouseCoopers, Malaysia
- David W. Powell, CISA, FCA, CIA; Deloitte Touche Tohmatsu, Australia

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard 060.020 (Evidence) states, "During the course of the audit, the Information Systems Auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

1.1.2 Standard 070.010 (Report Content and Form) states, "The Information Systems Auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage, and the nature and extent of the audit work performed. The report is to identify the organisation, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations and any reservations or qualifications that the auditor has with respect to the audit."

1.2 Need for Guideline

1.2.1 The purpose of this Guideline is to describe the documentation that the IS Auditor should prepare and retain to support the audit.

1.2.2 This Guideline provides guidance in applying IS auditing standards. The IS Auditor should consider it in determining how to achieve implementation of the above Standards, use professional judgment in its application and be prepared to justify any departure.

2. PLANNING

2.1 Documentation Contents

2.1.1 Information systems audit documentation is the record of the audit work performed and the audit evidence supporting the IS Auditor's findings and conclusions. Potential uses of documentation include:
- Demonstration of the extent to which the IS Auditor has complied with the IS Auditing Standards
- Assistance with planning, performance, and review of audits
- Facilitation of third-party reviews
- Evaluation of the IS auditing function's quality assurance programme
- Support in circumstances such as insurance claims, fraud cases, and lawsuits
- Assistance with the professional development of the staff

2.1.2 Documentation should include, at a minimum, a record of:
- The planning and preparation of the audit scope and objectives
- The audit programme
- The audit steps performed and audit evidence gathered
- The audit findings, conclusions, and recommendations
- Any report issued as a result of the audit work
- Supervisory review

2.1.3 The extent of the IS Auditor's documentation will depend on the needs for a particular audit and should include such things as:
- The IS Auditor's understanding of the area to be audited and its environment
- The IS Auditor's understanding of the information processing systems and the internal control environment
- The author and source of the audit documentation and the date of its completion
- Audit evidence and source of the audit documentation and the date of completion
- The auditee's response to recommendations

2.1.4 Documentation should include audit information that is required by law, by government regulations, or by applicable professional standards. The documentation should be clear, complete and understandable by a reviewer.

2.2 Documentation Custody, Retention and Retrieval

2.2.1 Policies and procedures should be in effect to ensure appropriate custody and retention of the documentation that supports audit findings and conclusions for a time sufficient to satisfy legal, professional, and organisational requirements.

2.2.2 Documentation should be organised, stored, and secured in a manner appropriate for the media on which it is retained and should continue to be retrievable for a time sufficient to satisfy the policies and procedures defined above.

3. EFFECTIVE DATE

3.1 This Guideline is effective for all information systems audits beginning on or after 1 September 1999.

Web Site: http://www.isaca.org

Copyright 1999 Information Systems Audit and Control Association 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Telephone: +1.847.253.1545 Fax: +1.847.253.1443 Email: research@isaca.org

Audit Documentation Guideline Version I-1.0
